
How to Perform a Risk-Based Audit

Updated: Jan 3

A risk-based audit has three key steps, as illustrated below.

Risk Assessment

Description: Performing risk assessment procedures to identify and assess the risks of material misstatement in the financial statements.

This includes the assessment of significant risks, control deficiencies, and identified or suspected non-compliance with laws and regulations that will be addressed in the audit and communicated to those charged with governance (TCWG).

The auditor would also select Key Audit Matters (KAM) for inclusion in the auditor’s report for listed entities, and for all other audits where ISA 701 (which deals with key audit matters) is applied, whether as required by local law or regulation or voluntarily.

Risk Response

Description: Designing and performing further audit procedures that respond to identified and assessed risks of material misstatement, at both the financial statement and assertion levels.

Reporting

Description: This involves:

  • Forming an opinion based on the audit evidence obtained and the evaluation of the financial statement presentation and disclosures; and

  • Preparing and issuing a report that is appropriate to the conclusions reached.

The auditor will also select Key Audit Matters (KAM) for inclusion in the auditor’s report for listed entities, and for all audits where ISA 701, relating to key audit matters, is applied as required by local law or regulation, or voluntarily.
  • Forming an opinion based on the audit evidence obtained and on the evaluation of the financial statement presentation and disclosures; and

  • Preparing and issuing a report that is appropriate to the conclusions reached.

A simple way of describing the three elements is illustrated below.


* An “event” is simply a business or fraud risk factor. This would also include risks resulting from the absence of internal control to mitigate the potential for material misstatements in the financial statements.

* An “event” is simply a business or fraud risk factor. This also includes risks resulting from the absence of internal controls to reduce the possibility of material misstatement in the financial statements.

The various tasks involved in each of these three phases are outlined below.


Risk Assessment

  1. Refer to ISA 230 for a more complete list of documentation required.

  2. Planning (ISA 300) is a continual and iterative process throughout the audit.

  3. RMM = Risks of material misstatement.

  1. Refer to ISA 230 for a more complete list of the documentation required.

  2. Planning (ISA 300) is a continual and iterative process throughout the audit.

  3. RMM = Risks of material misstatement.

An effective risk assessment phase would include the following.

Up-Front Involvement of Senior Team Members

The engagement partner and other key members of the engagement team need to be actively involved in planning the audit, including planning and taking part in the discussion among engagement team members.

This ensures that the audit plan benefits from their experience and insight.

Note that the ISAs generally use the term “auditor” to mean the person(s) performing the engagement.

Where an ISA intends a requirement or responsibility be fulfilled by the engagement partner, the term “engagement partner” rather than “auditor” is used.

An Emphasis on “Professional Skepticism”

The auditor cannot be expected to disregard past experience of the honesty and integrity of the entity’s management and those charged with governance.

Nevertheless, a belief that management and those charged with governance are honest and have integrity does not relieve the auditor of the need to maintain professional skepticism, or allow the auditor to be satisfied with less-than-persuasive audit evidence when obtaining reasonable assurance.


The time spent in audit planning (developing the overall audit strategy and the audit plan) ensures that audit objectives are properly met and that the work of audit staff remains focused on gathering evidence in the areas with the greatest potential for misstatement.

Team Discussions and Ongoing Communication

A team planning discussion/meeting with the engagement partner present provides an excellent forum for:

  • Informing staff about the client in general and discussing potential risk areas;

  • Discussing the effectiveness of the overall audit strategy and the audit plan and then making changes as necessary;

  • Brainstorming how fraud could occur and then designing an appropriate response;

  • Discussing disclosures where there are higher risks of material misstatement; and

  • Allocating audit responsibilities and setting time frames.

Ongoing communication among the audit team throughout the engagement is also important, for example to discuss and address audit issues, unusual activities, or possible indicators of fraud.

This enables timely communication with management and, where necessary, changes to the audit strategy and audit procedures.

Focus on Risk Identification

The most important step in a risk assessment process is to identify all the relevant risks.

If the auditor does not identify business and fraud risk factors, those risks will not be assessed or documented, and no appropriate audit response will be designed for them.

This is why well-designed risk assessment procedures are so important to the effectiveness of the audit.

These risk assessment procedures also need to be performed by the appropriate level of staff.

Financial Statement Disclosures

In assessing risks, disclosures in the financial statements are also taken into account.

Disclosures in the financial statements of SMEs may be less detailed or less complex (for example, some financial reporting frameworks allow smaller entities to provide fewer disclosures in their financial statements).

However, this does not relieve the auditor of the responsibility to obtain an understanding of the disclosures and to assess the risks of material misstatement in the disclosures that are required.

Ability to Evaluate Management’s Response(s) to Risk

A key step in the risk assessment process is to evaluate the effectiveness of management’s responses (that is, management’s control design/implementation), if any, to mitigate the identified risks of material misstatement in the finan